EP3000216B1 - Authentication of a secured data channel using a shared secret - Google Patents

Authentication of a secured data channel using a shared secret

Info

Publication number
EP3000216B1
Authority
EP
European Patent Office
Prior art keywords
shared secret
authenticated
authentication
data channel
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP14741499.9A
Other languages
English (en)
French (fr)
Other versions
EP3000216A1 (de)
Inventor
Neumann LIBOR
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aducid Sro
Original Assignee
Aducid SRO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aducid SRO
Publication of EP3000216A1
Application granted
Publication of EP3000216B1
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • The invention relates to the method of verification of the electronic identity of a secured data channel user during remote electronic communication between two parties.
  • A secured data channel is used in case of remote access of users or systems to protected assets in the information systems of the service provider.
  • Protected assets may be of variable character: these may be confidential information, or information designed for publication but allowed to be changed by authorised persons only, or it may relate to the realisation of various actions or transactions using information and communication technologies, or it may concern the setting of instructions for various devices, or obtaining measured or otherwise obtained information or data.
  • Data channel security is the limiting factor of the protection level of protected assets during remote access.
  • The general level of protected assets security cannot be higher than the data channel security. That follows from the general rule of security that the overall security level is set by the security of the weakest element.
  • The data channel security is limited by authentication, i.e. verified establishment of the identity of systems or users, respectively operators or owners of systems, on both ends of the data channel.
  • Authentication, the verification of electronic identity, typically performed remotely before use of the target electronic service, is performed before creation of a secured data channel or as a part of the data channel creation, before the start of data transfer through the data channel.
  • The data channel is used for protection of data transfer in case of remote access to the target electronic service, protecting an authorised user from access of unauthorised users, e.g. an attacker, to the service.
  • A secured data channel is protected by an authenticated shared secret, which is known only to the systems on both data channel ends.
  • The authenticated shared secret creation includes the identity check, i.e. authentication of users respectively systems on both data channel ends.
  • US 2009/0288143 describes a system for overcoming possible attacks, including the MITM attack, by relying on multi-factor authentication which can withstand the attack as long as the attacker is unable to acquire at least one of the authentication secrets.
  • The shared secret is created only at the end of the authentication process and it is an authenticated shared secret.
  • In other cases, the data channel is created without authentication or with partial authentication and it is consequently used for the user's authentication for the target application.
  • Such a data channel uses a non-authenticated shared secret and it cannot act as a secure one, as it may be abused by an attacker: no full-value data channel authentication was performed, so the attacker may abuse or otherwise attack even the authentication of the user for the target application and consequently successfully attack the target application itself.
  • US2010/042838 A1 concentrates on authentication and secure communication with small, low-power devices and between devices communicating through an unsecured medium. US2010/042838 A1 relies on Diffie-Hellman key agreement wherein at least one party to the communication references its public key and the key is retrieved from an outside storage (USB stick, trusted database). This key is then compared to the key transmitted through the data channel to be used for authentication, and authentication only proceeds if both keys match.
  • The shared secret is created only at the end of the authentication process and it is created as an authenticated shared secret.
  • External authentication is not used for data channel authentication at the present time.
  • The user, respectively the system to be authenticated, has available the authentication secrets (credentials) that may be used directly for authentication, for example in case of authentication by password, or used to perform an appropriate cryptographic operation needed for authentication, as in case of authentication by a Public Key Infrastructure.
  • The aim of the invention is to eliminate the current weak point of electronic communication security, i.e. insufficient, non-functional, weak or hardly usable authentication of the secure channel, to increase in this way the resistance of mainly remote electronic communication against various, even highly qualified, attacks and to significantly decrease the risks of electronic communication.
  • The aim of the presented invention is also to simplify the use of external authentication by simplifying the data transfer between the external authentication system and the data channel, respectively the target application, to a one-way transfer at one moment. That allows the use of other technologies for data transfer that are commonly available but could not be used for more complicated methods of data transfer.
  • The subject of the invention is the method of secured data channel authentication, characterised by the fact that at first a non-authenticated encrypted data channel is created between two parties using a non-authenticated shared secret obtained by ordinary cryptographic methods, e.g. key agreement guaranteeing the existence of only two ends of the data channel, or a temporarily generated pair of cryptographic keys.
  • The information needed for authentication of a user and data channel, e.g. the external authentication service URL, a challenge or an authentication / data session identifier, may be (confidentially) transferred.
  • The data channel ending on both sides creates a cryptographic derivate of the non-authenticated shared secret of the data channel, e.g. using a pseudo-random cryptographic function, such as a signature by the shared secret.
  • The method of derivate creation guarantees that the derivates of the shared secret calculated on both endings of the data channel have an identical value if the shared secrets are identical.
  • The calculation may be performed e.g. using ordinary asymmetrical pseudo-random algorithms of the HASH or HMAC type.
  • The data derived from the non-authenticated shared secret can be the derivate of the non-authenticated shared secret itself, a modified derivate of it (e.g. modified with additional data), a derivate calculated from the non-authenticated shared secret and additional data, or such a derivate further modified, e.g. by additional data.
  • The modification by additional data may be performed by the data channel endings or by the target applications on each side of the data channel and/or by the side of the authentication system. The modification may be performed on both sides of the data channel by the same component or by a different component on each side of the data channel.
  • The additional and/or supplemental data may be created by the data channel ending and/or by the target application and/or by the side of the external authentication system.
  • The additional and/or supplemental data may be created on both sides of the data channel by the same component or by a different component on each side of the data channel.
  • After the external authentication receives the data derived from the non-authenticated shared secret on both ends of the data channel, it performs authentication of the passed data derived from the non-authenticated shared secret of the data channel, usually using the user's or provider's authentication secret accessible to the external authentication, in such a way that the authentication of the data derived from the non-authenticated shared secret and the authentication of the user, respectively the system, are connected in a cryptographically reliable way, e.g. by a signature or encryption with the secret or with an otherwise authenticated secret.
  • The external authentication is a special system, a set of programmes and devices or an electronic service able to independently perform authentication of users respectively systems and other authenticated secure operations, including authentication of data derived from the non-authenticated shared secret of a data channel; it is separated from the data channel and does not use the data channel for transfer of information.
  • External communication means may e.g. use technologies of local communication, like easily and intuitively performable optical communication using scanning and displaying of QR codes, short-range wireless communication, optical communication, a local network, built-in internal communication in the device, or other ordinary appropriate means like the internal network of the service provider, the internal protected network of "cloud" service providers, or secure remote communication.
  • Authentication of data derived from the non-authenticated shared secret may be performed using the External authentication system in one of the following ways:
    • based on comparison of derivates developed from the data derived from the non-authenticated shared secret and the authenticated secret of the user and/or system;
    • via a cryptographic signature using a temporary signature key authenticated during authentication of the user and/or system using the External authentication;
    • by encrypting using a temporary encryption key authenticated during authentication of the user and/or system using the External authentication system;
    • by comparison of derivates developed from the data derived from the non-authenticated shared secret and a temporary secret authenticated during authentication of the user and/or system using the External authentication system;
    • in such a way that the handed-over data derived from the non-authenticated shared secret of the data channel are used by the External authentication system for authentication of the user, replacing the challenge when authentication protocols of the challenge-response type are used.
  • The result of authentication may consequently be passed by the external authentication (authentication system / service) to the target application, including relevant information on the authenticated user or system as well as on the user or system on the other side of the data channel.
  • The data channel is thus authenticated and becomes a secure authenticated data channel that may be used by an authenticated target application for secure communication with the authenticated user of the target application.
  • The user means a real person using the relevant electronic device as well as the electronic system or electronic device itself.
  • The authentication of a secured data channel may be performed, for example, in such a way that a protected non-authenticated Data channel 1 is created between sides A and B, and the External authentication system 2 is available.
  • The Data channel 1 is terminated on both sides by the Ending 3 of the data channel on side A and the Ending 4 of the data channel on side B.
  • The sides A and B of the Data channel 1 and the sides A and B of the External authentication system 2 may communicate via a wide area or local network, e.g. the Internet 10.
  • Both Endings 3 and 4 of the Data channel 1 have available a secret information, the Shared secret 5, which was developed by an ordinary procedure for generation of a non-authenticated shared secret, e.g. by using a key-agreement cryptographic algorithm.
  • The Shared secret 5 is used in an ordinary way by both Endings 3 and 4 of the Data channel 1 so as to arrange security of the data transferred by the Data channel 1. But at this moment it has not been proved that the data are coming from the right subject, respectively that they reach the right subject, as no authentication has been performed so far.
  • For arrangement of authentication of the Data channel 1 the External authentication system 2 is consequently used in such a way that the relevant Endings 3 and 4 of the Data channel 1 calculate from the Shared secret 5 the Derivate 6 of the Shared secret 5: on request of the Target application 7 on side A the Derivate 6 of the Shared secret 5 is calculated by the Ending 3 of the Data channel 1 on side A, and on request of the Target application 8 on side B the Derivate 6 of the Shared secret 5 is calculated by the Ending 4 of the Data channel 1 on side B.
  • The way of calculation guarantees that both Derivates 6 of the Shared secret 5 calculated by the Endings 3 and 4 of the Data channel 1 have the same value if the Shared secrets 5 are identical.
  • The calculation may be performed e.g. using ordinary asymmetrical pseudo-random algorithms of the HASH resp. HMAC type.
  • The Derivate 6 of the Shared secret 5 is consequently passed to the External authentication system 2 via the External interface 15, which consequently performs authentication of both sides of communication, including authentication of the Derivate 6 of the Shared secret 5 of the Data channel 1.
  • In this way the authentication of the Data channel 1 is performed in connection with the sides of communication, and it is proved whether the data transferred through the Data channel 1 come from the right subject and are transferred to the right subject.
  • The Derivate 6 of the Shared secret 5 is passed to the External authentication system 2 in such a way that Ending 3 of the Data channel 1 on side A passes the Derivate 6 of the Shared secret 5 to the Target application 7 on side A, on whose request the Derivate 6 was calculated by the Ending 3 of the Data channel 1 on side A, and the Target application 7 on side A passes the Derivate 6 of the Shared secret 5 through the external communication means via the External interface 15 to side 11 of the External authentication system 2 on side A.
  • Ending 4 of the Data channel 1 on side B passes the Derivate 6 of the Shared secret 5 to the Target application 8 on side B, on whose request the Derivate 6 was calculated by the Ending 4 of the Data channel 1 on side B, and the Target application 8 on side B passes the Derivate 6 of the Shared secret 5 through external communication means to side 12 of the External authentication system 2 on side B.
  • The hand-over of the Derivate 6 of the Shared secret 5 through the external communication means via the External interface 15 takes place outside the Data channel 1 and is performed in an ordinary way, e.g. by using technologies of local communication like short-range wireless communication, optical communication, a local network, or other ordinary appropriate means like the internal network of the service provider.
  • The way of protection of the transfer of the Derivate 6 of the Shared secret 5 and the way of use of the External authentication system 2 arrange the level of assurance that the Target application 7 or 8 on the relevant side is used by the same user as the External authentication system 2.
  • The Result 13 of the authentication is passed to the target application, including other relevant information on the authenticated user or system on side A as well as on the user (or system) on side B.
  • Another way of authentication of the secured data channel may be performed e.g. in such a way that a protected non-authenticated Data channel 1 is first developed between sides A and B, e.g. by using a generally available implementation of an encrypted data channel like TLS according to RFC 5246 without using its authentication option, and the External authentication system 2 is available.
  • The Data channel 1 is terminated on both sides by Ending 3 of the data channel on side A and Ending 4 of the data channel on side B. Both Endings 3 and 4 of the Data channel 1 have available a secret information, the Shared secret, which was generated by an ordinary procedure for generation of a non-authenticated shared secret, e.g. by using a key-agreement cryptographic algorithm.
  • The Shared secret 5 is used in an ordinary way by both Endings 3 and 4 of the Data channel 1 so as to support security of the data transferred by the Data channel 1. But at this moment it has not been proved that the data are coming from the right subject, respectively that they reach the right subject, as no authentication has been performed so far.
  • The Target application 7 on side A passes the Data 9 of the target application to the Ending 3 of the Data channel 1 on side A for transfer; they are transferred in encrypted form by the Data channel 1 using the Shared secret 5, decrypted by Ending 4 of the data channel on side B and passed to the Target application 8 on side B.
  • The transferred Data 9 of the target application may contain e.g. technical information needed for correct function of the External authentication system 2, like the network address of the External authentication system side A 11, the identifier of the authenticated session, and other information designed for improvement of security like a "nonce", i.e. additional information with high entropy.
  • Target application 7 on side A processes the Data 9 designed for transfer and Target application 8 on side B processes the transferred Data 9 in such a way that the Additional data 14 are made from them, always on the relevant side.
  • The way of calculation guarantees that the Additional data 14 calculated by both Target applications 7 and 8 have an identical value if the transferred Data 9 are correctly transferred and decrypted.
  • For arrangement of authentication of the Data channel 1 the External authentication system 2 is consequently used in such a way that the relevant Endings 3 and 4 of the Data channel 1 calculate the Derivate 6 of the Shared secret 5 from the Shared secret 5 and from the Additional data 14: on request of the Target application 7 on side A, passing the Additional data 14 created by the Target application 7 on side A, the Derivate 6 of the Shared secret 5 is calculated by the Ending 3 of the data channel on side A, and on request of the Target application 8 on side B, passing the Additional data 14 developed by the Target application 8 on side B, the Derivate 6 of the Shared secret 5 is calculated by the Ending 4 of the data channel on side B.
  • The way of calculation guarantees that both Derivates 6 of the Shared secret 5 calculated by the Endings 3 and 4 of the data channel have an identical value if all the inputs are identical.
  • The calculation may be performed using e.g. ordinary asymmetrical pseudo-random algorithms of the HASH resp. HMAC type, e.g. using the procedure according to RFC 5705 (Keying Material Exporters for Transport Layer Security (TLS)).
  • The Derivate 6 of the Shared secret 5 is passed to the External authentication system 2 via the External interface 15, which consequently performs the authentication of the sides of communication, including authentication of the Derivate 6 of the Shared secret 5 of the Data channel 1.
  • In this way the authentication of the Data channel 1 is performed in connection with the sides of communication, and it is proved whether the data transferred through the data channel come from the right source and are transferred to the right subject.
  • The Derivate 6 of the Shared secret 5 is passed to the External authentication system 2 in such a way that Ending 3 of the data channel on side A passes the Derivate 6 of the Shared secret 5 to the Target application 7 on side A, on whose request the Derivate 6 was calculated by the Ending 3 of the Data channel 1 on side A, and the Target application 7 on side A passes the Derivate 6 of the Shared secret 5 through external communication means via the External interface 15 to the External authentication system 11 on side A.
  • Ending 4 of the data channel on side B passes the Derivate 6 of the Shared secret 5 to the Target application 8 on side B, on whose request the Derivate 6 was calculated by Ending 4 of the data channel on side B, and the Target application 8 on side B passes the Derivate 6 of the Shared secret 5 through external communication means to the External authentication system 12 on side B.
  • The hand-over of the Derivate 6 of the Shared secret 5 by the external communication means via the External interface 15 takes place outside the Data channel 1 and is performed in an ordinary way, e.g. by using technologies of local communication, like easily and intuitively performable optical communication using scanning and displaying of QR codes, built-in internal communication in the device, or the internal protected network of "cloud" service providers, respectively secure remote communication.
  • Another way of authentication of the secured data channel may be performed e.g. in such a way that, similarly to the previous descriptions, a protected non-authenticated Data channel 1 is first developed between sides A and B, where both Endings 3 and 4 of the data channel have available a non-authenticated secret information, the Shared secret 5.
  • Target application 7 on side A adds the Data 9 of the target application to the transfer of Ending 3 of the Data channel 1 on side A; they are transferred in encrypted form through the Data channel 1, and from them the Additional data 16 are developed, always on the relevant side, similarly to the Additional data in the previous example.
  • For arrangement of authentication of the Data channel 1 the External authentication system 2 is consequently used in such a way that the relevant Endings 3 and 4 of the data channel calculate from the Shared secret 5 the Derivate 6 of the Shared secret 5: on request of the Target application 7 on side A the Derivate 6 of the Shared secret 5 is calculated by the Ending 3 of the Data channel 1 on side A, and on request of the Target application 8 on side B the Derivate 6 of the Shared secret 5 is calculated by the Ending 4 of the Data channel 1 on side B.
  • The Target applications 7 and 8 on sides A and B modify the Derivate 6 of the Shared secret 5 using the Additional data 16 and pass the modified Derivate 6 of the Shared secret 5 to the External authentication system 11 and 12 on sides A and B.
  • The modification of the Derivate 6 may be performed using ordinarily used mathematical algorithms, for example ordinary asymmetric pseudo-random algorithms of the HASH resp. HMAC type, or concatenation.
  • The selected method of calculation guarantees that the modifications of the Derivate 6 of the Shared secret 5 performed by the Target application 7 on side A and by the Target application 8 on side B, using the original Derivate 6 of the Shared secret 5 and the Additional data 16, have the same value if all the inputs are identical.
  • The authentication of a secured data channel may also be performed in such a way that, similarly to the previous descriptions, a protected non-authenticated Data channel 1 is first developed between sides A and B, where both Endings 3 and 4 of the Data channel 1 have available a secret information, the Shared secret 5.
  • The External authentication system 11 on side A develops the Additional data 16, i.e. a part of the technical information needed for correct function of the External authentication system 2, like the network address of the External authentication system 11 on side A, the identifier of the authenticated session, respectively other information designed for improvement of security, like e.g. the generally used "nonce", i.e. additional information with high entropy.
  • The Additional data 16 are passed by the External authentication system 11 on side A via the External interface 15 on side A to the Target application 7 on side A, which passes them, after possible completion or modification, for transfer to the Ending 3 of the Data channel 1 on side A as Data 9 of the target application; they are transferred in encrypted form through the Data channel 1 using the Shared secret 5, decrypted by Ending 4 of the Data channel 1 on side B and handed over to the Target application 8 on side B.
  • The Target application 8 on side B processes the transferred information in such a way that it creates the Additional data 16 from them. Generally used mathematical algorithms may be used, where the way of calculation guarantees that both Additional data 16, i.e. those created by the External authentication system 11 on side A and those created by the Target application 8 on side B, have an identical value if the transferred information is transferred and decrypted correctly.
  • For arrangement of authentication of the Data channel 1 the External authentication system 2 is consequently used in such a way that, on request of the Target application 7 on side A, the Derivate 6 of the Shared secret 5 is calculated by the Ending 3 of the data channel on side A and passed via the External interface 15 without any changes to the External authentication system 11 on side A.
  • The External authentication system 11 on side A modifies the Derivate 6 of the Shared secret 5 using the Additional data 16 developed earlier by the External authentication system 11 on side A and passed to the Target application 7 on side A.
  • On request of the Target application 8 on side B the Derivate 6 of the Shared secret 5 is calculated by the Ending 4 of the Data channel 1 on side B. It is passed to the Target application 8 on side B, which modifies the Derivate 6 of the Shared secret 5 using the Additional data 16 and passes the modified Derivate 6 of the Shared secret 5 via the External interface 15 to the External authentication system 12 on side B.
  • The selected method of calculation guarantees that the modification of the Derivate 6 of the Shared secret 5 performed by the Target application 8 on side B, using the original Derivate 6 of the Shared secret 5 and the Additional data 16, has the same value as the modification calculated by the External authentication system 11 on side A, if all the inputs are identical.
  • Another way of authentication of the secured Data channel 1 using external authentication may be performed e.g. in such a way that Ending 3 of the Data channel 1 on side A is implemented as an internal part of the Target application 7 on side A, respectively that Ending 4 of the Data channel 1 on side B is implemented as an internal part of the Target application 8 on side B.
  • The relevant data transfers in this example are performed inside the target application in a way analogous to the previous examples.
  • the authentication of the passed data derived from the non-authenticated Shared secret 5 of the Data channel 1 using the External authentication system 2 may be performed, for example, in such a way that the given data derived from the non-authenticated Shared secret 5 of the Data channel 1 are used by the External authentication system 2 for the user's authentication by replacing the challenge of an authentication protocol of the challenge-response type. In this way the authentication of the user and the authentication of the data channel are cryptographically bound together.
  • the invention can be used in any field where an authenticated secured data channel is required.
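The exchange described above, as an added Python illustration that is not code from the patent or from Aducid: the shared secret 5, the user credential trusted by the external authentication system and the nonce (additional data 16) are constructed values, the channel cipher is a toy XOR keystream standing in for the real one, and the external system's step follows the challenge-response variant of the last item, so that two different shared secrets (a relay sitting between two separate key agreements) show up as a failed authentication.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration of the scheme above; not the patent's own code.
# shared_secret stands for Shared secret 5 left at both endings by the
# unauthenticated key agreement, user_key for the credential the External
# authentication system 2 already trusts. All names are chosen for this example.


def derivative_of_shared_secret(shared_secret: bytes, additional_data_14: bytes = b"") -> bytes:
    """Derivate 6: one-way function of Shared secret 5 (optionally bound to
    Additional data 14), so the secret itself never leaves the ending."""
    return hmac.new(shared_secret, b"derivate-6|" + additional_data_14, hashlib.sha256).digest()


def modify_derivative(derivative: bytes, additional_data_16: bytes) -> bytes:
    """Modification by Additional data 16 (session identifier, nonce). Both
    sides apply the same deterministic function, so identical inputs give an
    identical value and any discrepancy surfaces as a mismatch."""
    return hashlib.sha256(derivative + b"|" + additional_data_16).digest()


def _keystream(shared_secret: bytes, length: int) -> bytes:
    """Toy keystream keyed by the shared secret; stands in for the channel's
    real cipher, which is not the point of the example."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(shared_secret, b"channel|" + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def channel_transfer(shared_secret: bytes, data: bytes) -> bytes:
    """XOR transform used for encryption at Ending 3 and decryption at Ending 4."""
    return bytes(a ^ b for a, b in zip(data, _keystream(shared_secret, len(data))))


def challenge_response(challenge: bytes, user_key: bytes) -> bytes:
    """Challenge-response step of the external authentication system, with the
    modified Derivate 6 taking the place of the usual random challenge."""
    return hmac.new(user_key, b"response|" + challenge, hashlib.sha256).digest()


def authenticate_channel(secret_at_a: bytes, secret_at_b: bytes,
                         user_key_at_a: bytes, user_key_at_b: bytes,
                         nonce: Optional[bytes] = None) -> bool:
    """Run the whole exchange. True only when both endings hold the same
    Shared secret 5 and side A answers with the user key side B expects."""
    # External authentication system 11 on side A creates Additional data 16.
    additional_data_16 = nonce if nonce is not None else secrets.token_bytes(16)
    # Target application 7 sends it through the encrypted channel.
    on_the_wire = channel_transfer(secret_at_a, additional_data_16)
    # Ending 4 decrypts with its own copy of the secret. If a relay holds two
    # separate shared secrets, side B recovers different bytes.
    additional_data_16_at_b = channel_transfer(secret_at_b, on_the_wire)
    # Each side derives and modifies independently; no secret leaves a side.
    challenge_at_a = modify_derivative(derivative_of_shared_secret(secret_at_a),
                                       additional_data_16)
    challenge_at_b = modify_derivative(derivative_of_shared_secret(secret_at_b),
                                       additional_data_16_at_b)
    # Side 11 answers the challenge, side 12 verifies it against its own copy.
    response = challenge_response(challenge_at_a, user_key_at_a)
    expected = challenge_response(challenge_at_b, user_key_at_b)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)    # constructed stand-in for Shared secret 5
    user_key = secrets.token_bytes(32)  # constructed, pre-authenticated credential
    print("same secret, same key:", authenticate_channel(secret, secret, user_key, user_key))
    print("relayed, two secrets: ", authenticate_channel(secret, secrets.token_bytes(32), user_key, user_key))
```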

Claims (15)

  1. Method for authenticating a secure data channel between two participants (A, B), characterised in that first an unauthenticated secure data channel (1) is formed, having one ending (3) of the data channel (1) on a first side (A) and another ending (4) of the data channel (1) on the other side (B), and a target application (7) on the first side (A) and a target application (8) on the other side (B), wherein the endings (3, 4) hold an unauthenticated shared secret (5); then, on both sides (A, B) of the data channel (1), the data derived from the unauthenticated shared secret (5) are calculated; then the data derived from the unauthenticated shared secret (5) are transferred on each side (A, B), by means of external communication means outside the data channel (1), to the two sides (11, 12) of an external authentication system (2), which then performs the authentication of the communication participants (A, B), including the authentication of the data channel (1),
    wherein the external authentication system is in each case a system, a set of programs and devices, or an electronic system that is capable of performing the authentication of users or systems independently.
  2. Method according to claim 1, characterised in that the data derived from the unauthenticated shared secret (5) are obtained in that the endings (3, 4) calculate a derivative (6) of the unauthenticated shared secret (5), or the endings (3, 4) calculate a derivative (6) of the unauthenticated shared secret (5) and the additional data (14); and the derivative (6) is then optionally further modified by the additional data (16).
  3. Method according to claim 2, characterised in that the modification of a derivative (6) of the unauthenticated shared secret (5) is performed on each side (A, B) independently by at least one component, this component being selected from a group consisting of the endings (3, 4) of the data channel (1), the target application (7, 8) and a side (11, 12) of an external authentication system (2).
  4. Method according to claim 2, characterised in that the additional data (14) and/or the subsequent data (16) are formed on each side (A, B) independently by at least one component, this component being selected from a group consisting of the endings (3, 4) of the data channel (1), the target application (7, 8) and a side (11, 12) of an external authentication system (2).
  5. Method according to claim 2, characterised in that the data derived from the unauthenticated shared secret (5) are obtained in that the endings (3, 4) calculate a derivative (6) of the unauthenticated shared secret (5).
  6. Method according to claim 2, characterised in that the data derived from the unauthenticated shared secret (5) are obtained in that the endings (3, 4) calculate a derivative (6) from the unauthenticated shared secret (5) and the additional data (14).
  7. Method according to claim 2, characterised in that the data derived from the unauthenticated shared secret (5) are obtained in that the endings (3, 4) calculate a derivative (6) of the unauthenticated shared secret (5), and this derivative (6) is subsequently modified by the target applications (7) and (8) using additional data (16).
  8. Method according to claim 2, characterised in that the data derived from the unauthenticated shared secret (5) are obtained in that the endings (3, 4) calculate a derivative (6) from the unauthenticated shared secret (5) and the additional data (14), and it is subsequently modified by the target applications (7) and (8) using additional data (16).
  9. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by means of a cryptographic signature using an authenticated signature key of the user and/or of the system.
  10. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by means of encryption using an authenticated signature key of the user and/or of the system.
  11. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by comparing the derivatives formed from the data derived from the unauthenticated shared secret (5) and from the authenticated shared secret of the user and/or of the system.
  12. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by means of a cryptographic signature using a temporary signature key that has been authenticated during the authentication of the user and/or of the system by means of an external authentication system (2).
  13. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by means of encryption using a temporary encryption key that has been authenticated during the authentication of the user and/or of the system by means of an external authentication system (2).
  14. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed by comparing the derivatives formed from the data derived from the unauthenticated shared secret (5) and from the temporary secret that has been authenticated during the authentication of the user and/or of the system by means of an external authentication system (2).
  15. Method according to claim 1, characterised in that the authentication of the data derived from the unauthenticated shared secret (5) by means of an external authentication system (2) is performed in such a way that the external authentication system (2), for authenticating the user, uses the transferred data of the data channel (1) derived from the unauthenticated shared secret (5) to replace the challenge when using authentication protocols of the challenge-response type.
EP14741499.9A 2013-05-22 2014-05-21 Authentifizierung eines gesicherten datenkanals mit hilfe eines geteilten geheimnisses Active EP3000216B1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CZ2013-373A CZ2013373A3 (cs) 2013-05-22 2013-05-22 Způsob autentizace bezpečného datového kanálu
PCT/CZ2014/000058 WO2014187436A1 (en) 2013-05-22 2014-05-21 Secured data channel authentication implying a shared secret

Publications (2)

Publication Number Publication Date
EP3000216A1 EP3000216A1 (de) 2016-03-30
EP3000216B1 true EP3000216B1 (de) 2018-01-31

Family

ID=51211457

Family Applications (1)

Application Number Title Priority Date Filing Date
EP14741499.9A Active EP3000216B1 (de) 2013-05-22 2014-05-21 Authentifizierung eines gesicherten datenkanals mit hilfe eines geteilten geheimnisses

Country Status (9)

Country Link
US (1) US10091189B2 (de)
EP (1) EP3000216B1 (de)
JP (1) JP2016522637A (de)
KR (1) KR20160013135A (de)
CN (1) CN105612728B (de)
BR (1) BR112015028638A2 (de)
CZ (1) CZ2013373A3 (de)
RU (1) RU2645597C2 (de)
WO (1) WO2014187436A1 (de)


Also Published As

Publication number Publication date
RU2645597C2 (ru) 2018-02-21
WO2014187436A1 (en) 2014-11-27
US20160119317A1 (en) 2016-04-28
KR20160013135A (ko) 2016-02-03
CZ2013373A3 (cs) 2014-12-03
RU2015150542A (ru) 2017-06-27
CN105612728B (zh) 2019-04-23
CN105612728A (zh) 2016-05-25
BR112015028638A2 (pt) 2017-07-25
EP3000216A1 (de) 2016-03-30
US10091189B2 (en) 2018-10-02
JP2016522637A (ja) 2016-07-28
